DETAILED ACTION
Response to Arguments 

1. In response to communications filed on 8/22/2005, applicant amends claims 1, 14, 23, 
and 27. The following claims 1-31 are presented for examination. 

2. Applicant's arguments, see pages 9-12, filed on 8/22/2005, with respect to the rejection 
of claims 1-31, under 35 USC 103 (a) have been fully considered but they are not persuasive as 
amended. Applicant has amended the independent claims 1, 14, 23, and 27 to further recite that 
"the policy module and the transparent proxy reside within the same environment". Applicant 
has not overcome the rejection by amending the claims because Green discloses a transparent 
proxy comprising a connection manager and a security manager that meets the recitation of 
policy module residing within the same environment with the transparent proxy (see figure 3b 
and column 5, lines 34-40), that can securely monitor and control communication between the 
client and the server in accordance with a defined security policy (column 5, lines 15-32). The 
client transfers data request to the proxy, requesting information from a server, the proxy 
comprises modules and components wherein a connection manager operates with a security 
monitor which monitors the data from the client for conformance with predefined conditions and 
provides control information to the connection manager of the proxy which in turns controls the 
relay and directs it whether to establish connections to the server (see column 8, lines 14-25). 
Examiner maintains the rejection of claims 1-31 under 103(a) in view of the same references. 



Claim Rejections - 35 USC § 103 
3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject matter 
sought to be patented and the prior art are such that the subject matter as a whole would have 
been obvious at the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by the manner in which 
the invention was made. 

3.1 Claims 1-3, 7-8, 9-17, and 20-28 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US Patent 6,401,125 to Makarios et al in view of US Patent 6,003,084 to 
Green et al. 

3.2 As per claims 1, 14-17, Makarios et al substantially teaches a method for brokering 
state information exchanged between computers using at least one protocol above a transport 
layer, the method comprising the steps of receiving at a proxy a request from a client requesting 
a resource of an origin server wherein the transparent proxy is unknown to the client (column 4, 
lines 53-56) the proxy disclosed meets the recitation of transparent proxy as the proxy is 
unknown to the client as the client sends the URL directly to a server. Makarios et al discloses 
redirecting the client request from the proxy to a signup web page with an address that meets the 
recitation of policy module with identifier of claim 14 (column 4, lines 51-53 and column 5, lines 
10-15); obtaining enforcement data provided by the policy module (column 5, lines 15-27 and 



Application/Control Number: 09/484,691 Page 4 

Art Unit: 2136 

column 3, lines 1-10); a proxy cookie is generated in response to login information of the user 
and transmitting to the user to use as an authentication for further interactions with the proxy that 
meets the recitation of generating at the proxy a policy state token in response to the policy 
enforcement data (column 5, lines 19-51); and transmitting the policy state token from the proxy 
to the client wherein the policy state token is used as an authentication of the client to the 
transparent proxy for subsequent interactions between the client and the transparent proxy. 
Although Makarios et al discloses the claimed method steps of claim 1, Makarios et al does 
not provide enough details on the architecture implemented in the invention. Green et al in an 
analogous art teaches a memory configured at least in part by a transparent proxy process, a 
processor for running the transparent proxy process, (see figure 1) at least one link for networked 
communication between the transparent proxy process, on the one hand, and a client computer 
and an origin server, on the other hand, for example (see figures 2 and 3); Green et al further 
teaches a secure transparent proxy that is transparent to both a client and a server (column 9, 
lines 5-12) and transmitting packets in accordance with a defined security policy (column 5, lines 
25-30) having a security module to verify whether to grant or deny access to proxy services 
(column 7, line 48 through column 8, line 25 and column 9, line 12-67). Green et al discloses a 
transparent proxy comprising a connection manager and a security manager that meets the 
recitation of policy module residing within the same environment with the transparent proxy (see 
figure 3b and column 5, lines 34-40). In one embodiment, the proxy comprises a connection 
manager and a security manager that meets the recitation of policy module residing within the 
same environment with the transparent proxy (see figure 3b and column 5, lines 34-40), the 
proxy incorporates features of both application gateways and proxies to better serve client or the 
server depending on which side caused the firewall action to be triggered; and further discloses 
several advantages of the invention associated with the transparent proxy (column 5, lines 55 
through column 6, line 20). Green et al discloses wherein policy enforcement data is received 
from the policy module because as the client transfers data request to the proxy, requesting 
information from a server, the proxy comprises modules and components wherein a connection 
manager operates with a security monitor which monitors the data from the client for 
conformance with predefined conditions and provides control information to the connection 
manager of the proxy which in turns controls the relay and directs it whether to establish 
connections to the server (see column 8, lines 14-25). In another embodiment, the proxy uses a 
filter component that also meets the recitation of policy module, and the filter component 
processes the policy enforcement data and returns status to the communication component of the 
proxy, based on the status, the proxy communicates accordingly to the server (see column 10, 
lines 28-47). Therefore, it would have been obvious to one of ordinary skilled in the art at the 
time the invention was made to modify the invention of Makarios et al to implement some of 
the features of the inventive concept of Green et al, which provides a transparent proxy 
comprising security modules with more security and more versatility as taught by Green et al. 
One skilled in the art would have been motivated to do so because the transparent proxy 
disclosed by Green et al is transparent to both the client and the server, incorporating features of 
both application gateways and proxies, easy to configure, (see column 5, line 55 through column 
6, line 20), it also provides more security and more versatility where additional filtering may be 
performed as desired, and it is associated with policy module that allows the proxy to use any 
defined protocols in accordance to defined security policy and provides transparency wherein no 
devices need to change any configuration information (column 9, lines 11-60). 

As per claims 2-3, Makarios et al discloses the limitation of receiving at the proxy a 
renewed request for the origin server resource, the renewed request containing the policy state 
token, wherein the renewed request contains the policy state token in a cookie in a header sent 
from the client to the proxy, for example (column 5, lines 25-32). 

As per claims 7-8, Makarios et al teaches the limitation of wherein HTTP or HTTPS is 
a protocol used during at least one of the receiving and transmitting steps (column 3, lines 30- 
67). 

As per claim 10, the combination of Makarios et al and Green et al teaches directory 
access protocol for authentication of client that meets the recitation of utilizing LDAP as a 
software to provide authentication information about the client and the transparent policy 
enforcement data obtained by the transparent proxy depends on the authentication thus provided 
(Green et al, column 9, lines 12-47). Therefore, claim 10 is rejected on the same rationale as the 
rejection of claim 1. 

Claims 9 and 11 are similar to the rejected claim 10 except for utilizing Novell 
Directory Services and SSL software respectively instead of LDAP. Green et al discloses other 
directory service protocols and any protocols used in X400's X500's. Therefore using NDS or 
SSL would have been obvious to one skilled in the art, as these protocols are well known. 
Therefore, claims 9 and 11 are rejected on the same rationale as the rejection of claim 1. 

As per claim 12, Makarios et al. teaches the limitation of wherein the obtaining step 
extracts policy enforcement data from a redirection address field (see column 3, lines 1-10). 

As per claim 13, Makarios et al teaches the limitation of wherein the transmitting step 
transmits the policy state token in a cookie in a header sent from the proxy to the client (column 
10-32). 

As per claims 20-22, claim 20 adds another proxy with similar limitations as the rejected 
claim 14. To one with ordinary skilled in the art, the network can comprise of any number of 
clients and servers and adding more than one proxy to share some of the functions would have 
been a design choice and obvious to one skilled in the art because assigning proxies to handle 
specific functions or protocols is well known in the art. 

Claims 23 and 28 recite some of the limitations found in claim 1 except for 
implementing the claimed method in a computer system and for using a first signal including a 
redirection command which specifies the policy module address as a redirection target (see 
Makarios et al, column 5, lines 10-25); and a second signal including a redirection command 
which specifies the transparent proxy server address as a redirection target (Makarios et al, 
column 5, lines 30-32). Makarios et al discloses a signup web page with an address that meets 
the recitation of policy module address. Green et al discloses the amended limitations of 
claim 23 as discussed in claim 1 above. Therefore, claims 23 and 28 are also rejected on the 
same rationale as the rejection of claim 1. 

As per claim 24, Makarios et al teaches the limitation of wherein the first signal 
includes an identity broker address as the policy module address (see column 5, lines 10-25). 

As per claim 25, Makarios et al teaches the limitation of wherein the first signal 
includes a login server address as the policy module address (see column 5, lines 10-25). 

As per claim 26, Makarios et al teaches the limitation of wherein the second signal 
includes the policy enforcement data embedded in an address field with the transparent proxy 
server address (see column 5, lines 10-25). 

Claim 27 is similar to the rejected claim 1, except for incorporating the claimed method 
of claim 1 into a computer medium. Therefore, claim 27 is rejected on the same rationale as the 
rejection of claim 1. 

4. Claims 4, 6, 18, 19, 29, and 30 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over US Patent 6,401,125 to Makarios et al in view of US Patent 6,003,084 to Green et al as 
applied to claims 1-3 above and further in view of US Patent Publication US 2002/0007317 to 
Callaghan et al. 
As per claim 4, Makarios et al discloses stripping in the proxy cookie to customize the 
client's information request as appropriate to the server (column 3, lines 1-10). Callaghan et al. 
in an analogous art teaches the step of forwarding to the origin server a portion of the renewed 
request, the forwarded portion omitting the policy state token (see page 6, paragraphs 88-90). 
Callaghan et al. further teaches in other embodiments the step of stripping off the state token 
(see page 4, paragraph 61 and page 5, paragraph 81). Therefore, it would have been obvious to 
one of ordinary skilled in the art at the time the invention was made to modify the method as 
combined above to omit the policy state token when forwarding the request to server. One 
skilled in the art would have been motivated to do so because by omitting the policy state token 
the proxy can maintain the proxy cookie information secret to the server. The other advantage of 
adding and omitting state information as disclosed by Callaghan et al is that it enables a proxy 
to customize request and response as it fits to the proxy (page 4, paragraphs 61-62). 

As per claim 6, Callaghan et al. teaches further comprising the steps at the proxy of 
forwarding to the client at least a portion of a communication from the origin server, and 
forwarding to the origin server at least a portion of a communication from the client (page 5, 
paragraphs 81-82). Therefore, claim 6 is rejected on the same rationale as the rejection of claim 
4. 

Claim 18 recites some of the limitations of claims 1 and 4 as discussed above. For 
instance, Green et al discloses transparent proxy service that is transparent to both client and 
server, the combined references above also teach the step of accepting the authorization from the 
client with a renewed client request for the origin server resource; forwarding the renewed client 
request to the origin server without forwarding the authorization but with an indication to the 
origin server that the transparent proxy server is the source of the forwarded request, and then 
transparently forwarding the requested resource from the origin server to the client as mentioned 
in claims 1 and 4. Therefore claim 18 is rejected on the same rationale as the rejection of claims 
1 and 4. 

As per claim 19, Makarios et al teaches the limitation of wherein the transparent proxy 
server sends the client the authorization by sending the client a proxy cookie for use in 
subsequent communications from the client, for example (see column 5, lines 19-51). 

Claims 29 and 30 recite some of the limitations found in claim 18, therefore they are 
rejected on the same rationale as the rejection of claim 18. 

5. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,401,125 to Makarios et al in view of US Patent 6,003,084 to Green et al, in view of US 
Patent Publication US 2002/0007317 to Callaghan et al as applied to claim 4 above and further 
in view of US Patent 5,805,803 to Birrell et al. 

As per claim 5, Makarios et al discloses an example of reply containing an origin state 
token for use by the proxy in its subsequent communications with a (column 5, lines 55-65). It is 
obvious to one skilled to the art that the same concept can be applied in the server side (see 
figure 2) as the proxy is capable of saving the cookie for future interactions with the server. 
Green et al discloses transparency with both the server and the client and discloses interaction 
between the proxy and the server (column 11, lines 5-17). Birrell et al. in an analogous art 
discloses receiving at the proxy a reply from the origin server, the reply containing an origin 
state token for use by the proxy in its subsequent communications with the origin server, for 
example (see column 4, lines 51-65). Therefore, it would have been obvious to one of ordinary 
skilled in the art at the time the invention was made to modify the method as combined above to 
include the step of receiving at the proxy a reply from the origin server, the reply containing an 
origin state token for use by the proxy in its subsequent communications with the origin server. 
One skilled in the art would have been motivated to do so because using the origin state token for 
use by the proxy in its subsequent communications with the origin server will allow the proxy to 
save in time and bandwidth if the server is already known to the server rather than authenticating 
at every session (column 4, lines 51-65 and 13-26). 

6. Claim 31 is rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,401,125 to Makarios et al in view of US Patent 6,003,084 to Green et al as applied to claim 
27 above and further in view of US Patent Publication US Patent 6,728,884 to Lim. 

As per claim 31, both references substantially teach the step of generating at the proxy a 
policy state token in response to the policy enforcement data (Makarios et al, column 5, lines 
19-51); transmitting the policy state token from the proxy to the client (Makarios et al, column 
5, lines 19-51); receiving the proxy cookie from the client with a renewed client request for the 
origin server resource (Makarios et al, column 5, lines 19-51), and redirecting client request 
from a transparent proxy to a policy module and accepting the policy enforcement data 
(Makarios et al, column 5, lines 19-51). Neither of the references explicitly teach redirecting a 
request from a second transparent proxy to be to, and accepting the policy enforcement data at 
the second transparent proxy. To a person skilled in the art it is apparent that the proxy disclosed 
by the combined references above can be implemented in more than one computer to obtain a 
second transparent proxy that will perform the same function. Load balancing is well known in 
the art; and in load balancing, another transparent proxy or gateway can perform a specific 
function when the first one is not available. Lim in an analogous art teaches a plurality of proxy 
servers associated with several security modules to control and provide access to resources 
(column 3, lines 40-57). Lim discloses proxy configuration data that specifies the configuration 
of each proxy servers; the proxy configuration data specifies whether a particular proxy security 
server provides authorization services (column 6, line 65 through column 7, line 5) and discloses 
request can be received by a specific proxy server since the request may include data that 
indicates which proxy servers to use and further discloses proxy server requests security module 
(column 5, lines 60-67 and column 6, lines 15-20); a returned cookie is required for access to 
resources (column 6, lines 34-35) and further discloses that not all the proxies may provide the 
same set of services a service may be available for a specific service while another server 
provides that particular service (column 8, lines 59-67) that meets the recitation of accepting at 
the second transparent proxy the second policy enforcement data provided by the policy module, 
the second policy enforcement data including authorization from the policy module for the client 
to access the resource through the second transparent proxy. Therefore, it would have been 
obvious to one of ordinary skilled in the art at the time the invention was made to modify the 
method as combined above to include a second transparent proxy where a request can be 
received after the first proxy becomes unavailable and accepting at a second proxy policy 
enforcement data from policy module for authorization to access resources as suggested by Lim. 
One skilled in the art would have been motivated to utilize more than one proxy because it 
provides the advantage of governing access to more information resources and selective proxies 
can be assigned to specific security policies and if there is a need for reconfiguration other 
proxies will be available (see column 2, lines 27-36) as suggested by Lim. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 
7.1 Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov . Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Carl Colin 



Patent Examiner 



October 28, 2005 